Snapchat Employee Wage Details Leaked In Phishing Scam

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Snapchat has apologised after a phishing attack saw details of its employees’ salaries leaked online.

The photo-sharing app, which is famous for not storing the images it carries (instead deleting them after ten seconds), made the confession in a blog post, confirming that a member of its human resources department had been tricked into handing over payroll information about “some current and former employees”.

The luckless worker had been fooled by an email purporting to come from Snapchat’s CEO asking for a detailed run-down of payment information at the company.

Swift response

Snapchat users themselves have nothing to worry about, the company said, as its servers were not compromised during the incident and user data was not accessed, however it does raise concerns about security within the company.

The firm said it responded “swiftly and aggressively” to the scam, reporting the incident to the FBI within four hours of it occurring, and identifying which employees were affected, offering them two years of free identity-theft insurance and monitoring.

“None of our internal systems were breached, and no user information was accessed,” the company said in a statement. “When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong.

“To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”

Kevin Epstein from security firm Proofpoint said that the phishing attack should serve as yet another reminder to organisations and employees that people remain the weakest link in security.

“Phishing attacks have become so sophisticated that they entice even the most-senior executives to click on a link in email or reply with requested sensitive information, without verbally confirming confidential information directives before sending,” he said.

“People are being used as a key part of criminal attacks; any defence must assume natural human behaviour will occur, and compensate accordingly.”